win.akdoortea

AkdoorTea

Actor(s): WageMole


AkdoorTea is a simple TCP RAT.

In August 2025 it was found inside a trojanized Nvidia CUDA toolkit package, most likely delivered via the ClickFix technique. The same package also carried an obfuscated BeaverTail payload, which suggests attribution to the Contagious Interview campaigns.

AkdoorTea obfuscates its network traffic with Base64 encoding combined with a single-byte XOR key. Neither step is encryption: the XOR key space is only 256 values, so captured traffic can be decoded without any secret material.

The RAT supports five commands, one of which reports its internal version string, "01.01".
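The following is an added example, not AkdoorTea's own code, showing how the traffic obfuscation described above (single-byte XOR plus Base64) is reversed and how the version string "01.01" can serve as a crib for key recovery. It assumes the RAT XORs each plaintext byte with the key and then Base64-encodes the result; the source does not state the order of the two steps, and the key value 0x5A and the sample message are made up for the demonstration.

```python
"""Decode single-byte-XOR + Base64 obfuscated RAT traffic and recover the key.

Added example, not code from the malware or from the ESET report. Assumed
wire order (not stated in the source): plaintext -> XOR with one key byte
-> Base64. The key 0x5A and the sample message below are constructed.
"""
import base64
from typing import List

# Constructed demo values; the real key and message layout are not known here.
DEMO_KEY = 0x5A
SAMPLE_PLAINTEXT = b"host=WS-TEST;ver=01.01"


def obfuscate(plaintext: bytes, key: int) -> str:
    """XOR every byte with `key`, then Base64-encode (assumed wire order)."""
    return base64.b64encode(bytes(b ^ key for b in plaintext)).decode("ascii")


def deobfuscate(blob: str, key: int) -> bytes:
    """Inverse of obfuscate(): Base64-decode, then XOR with the same key byte."""
    # validate=True rejects characters outside the Base64 alphabet instead of
    # silently skipping them, which would otherwise mask a corrupted capture.
    return bytes(b ^ key for b in base64.b64decode(blob, validate=True))


def recover_keys(blob: str, crib: bytes = b"01.01") -> List[int]:
    """Brute-force all 256 key bytes; return those whose output contains `crib`.

    A printable-ASCII heuristic is unreliable for single-byte XOR because many
    key values map ASCII to ASCII, so a known plaintext fragment (here the
    version string the RAT reports) is used instead. A list is returned
    because a short crib can in principle match under more than one key.
    """
    raw = base64.b64decode(blob, validate=True)
    return [k for k in range(256) if crib in bytes(b ^ k for b in raw)]


# Constructed sample "capture", produced from the demo plaintext and key.
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, DEMO_KEY)


if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB)
    for k in recover_keys(SAMPLE_BLOB):
        print(f"key 0x{k:02x}:", deobfuscate(SAMPLE_BLOB, k))
```

If the real sample applies the steps in the opposite order (Base64 first, then XOR), the captured bytes will not validate as Base64 and `deobfuscate()` raises; in that case XOR the raw bytes first and Base64-decode second, using the same crib search on the decoded output.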

Its name is inspired by its similarity to a TCP RAT referred to as "Akdoor", which was used in attacks leveraging ActiveX exploits against South Korean targets in April 2018.

References
2025-09-25, ESET Research, Matěj Havránek, Peter Kálnai: "DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception"

There is no YARA signature yet.